credit card breach

A data breach isn't always the work of a high-tech malware hack. Sometimes it can stem from unintentional or malicious act of an employee, especially if that employee believes corporate data belongs to them.

It's not a far-fetched scenario, according to “Insider Data Breach,” a survey of 4,000 U.S.- and U.K.-based employees commissioned by Egress Software Technologies and conducted by Opinion Matters. The survey found that 29 percent of respondents believed they owned company data. 

To combat that misconception and ensure company data isn't misused by employees, lawyers recommend implementing training and technology that limits mishandling of data on employee- and company-owned devices.

Before deploying any software safeguards or employee guidelines, an organization must assess what information is critical to the company. Next, policies should be implemented and practiced that focus on securing sensitive data against inter-company and third-party breaches.

However, with more employees working from their personal devices, including lawyers, company data is being shared on non-company devices. Still, organizations can ensure data is being used properly.

“The best practice is to let you use your own device but not have actual company information stored on that device,” said Danielle Vanderzanden, a shareholder at Ogletree, Deakins, Nash, Smoak & Stewart and co-chair of Ogletree's data privacy practice group. “The device is just a method to accessing the company's server and repositories through multi-factor authentication.”

Along with software that protects company data, there should be specified guidelines in place for the use of  personal devices at work.

“Before employers allow employees to use their personal devices for work, the employer should implement a dual use program or bring-your-own-device program that establishes very specific rules for participation in the program,” said Philip Gordon, a Littler Mendelson shareholder and privacy and background checks practice group co-chair.

He added it's important to have a policy for employees signing confidential or nondisclosure agreements concerning devices. “The agreements can provide an opportunity for the organization to remind employees about their obligations as data stewards,” he said. “And perhaps more important, if employees leave and take sensitive data with them, the employer has an easy basis for going to court and requesting relief.”

While employee guidelines provide written acknowledgment of a work procedure, software installed on a personal devices can also limit how an employee interacts with company data remotely—with consent, of course.

“It's very important to ensure the employer retains the right to remotely remove that company data from that device in the event the employer and employee part ways,” Vanderzanden said. 

Gordon noted, however, that it's essential for an employer to obtain prior authorization to remotely delete data from a personal device. “It's unlawful for an employer to wipe information from an employee's phone without their consent.”

Safeguards against employers' accidental data breaches on company computers also include technical controls. After all, the Egress-commissioned survey reported 45 percent of employees who accidentally shared information sent it to the wrong person.

“[Companies can] carefully identify who by job category is authorized to access particular types of data and what data can they access and then using technical controls like access lists,” Gordon said. “For example, individuals in payroll may need access to all payroll-related data, but they don't need access to all HR data.”

Such a limitation may reduce the probability of an employee breaching data, but it isn't perfect. “There's always going to be an issue,” said Rebecca Rakoski, managing partner at XPAN Law Group. “Being secure is a fallacy: There is no being secure. What you want to be is prepared.”